Forwarded: [PATCH] gfs2: remove WARN_ON_ONCE in gfs2_check_blk_type

[syzbot <syzbot+26e96d7e92eed8a21405@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: remove WARN_ON_ONCE in gfs2_check_blk_type
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


gfs2_check_blk_type() calls gfs2_rbm_from_block() and wraps the error
check in WARN_ON_ONCE():

    error = gfs2_rbm_from_block(&rbm, no_addr);
    if (!WARN_ON_ONCE(error)) {

When the block address falls outside the resource group (which happens
with corrupted on-disk metadata), gfs2_rbm_from_block() returns an
error and the WARN_ON_ONCE fires, producing a kernel stack trace.

The error is already handled correctly by the function -- the block
type test is skipped and the error code propagates to the caller.
Only the WARNING itself is problematic.

Replace the WARN_ON_ONCE with a plain error check and map the error
to -ESTALE for the caller (gfs2_fh_to_dentry).

Reported-by: syzbot+26e96d7e92eed8a21405@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=26e96d7e92eed8a21405
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/gfs2/rgrp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -2627,7 +2627,10 @@ int gfs2_check_blk_type(struct gfs2_sbd *sdp, u64 no_addr, unsigned int type)

 	rbm.rgd = rgd;
 	error = gfs2_rbm_from_block(&rbm, no_addr);
-	if (!WARN_ON_ONCE(error)) {
+	if (error) {
+		error = -ESTALE;
+	} else {
 		/*
 		 * No need to take the local resource group lock here; the
 		 * inode glock of @no_addr provides the necessary
--
2.43.0